All geek questions in one place

What is the point of using the linux access_ok () macro

I do some research, and I'm a little confused by this macro. Hope someone can give me some advice. I have ioctl code (which I inherited, but did not write), and the first thing it does is to check if access_ok() before proceeding to copy data from user space:

 #define __lddk_copy_from_user(a,b,c) copy_from_user(a,b,c) #define __lddk_copy_to_user(a,b,c) copy_to_user(a,b,c) long can_ioctl(struct file *file, unsigned int cmd, unsigned long arg) { switch(cmd) { case COMMAND: if(! access_ok(VERIFY_READ, (void *)arg, sizeof(Message_par_t))) return(retval); if(! access_ok(VERIFY_WRITE, (void *)arg, sizeof(Message_par_t))) return(retval); argp = &Command; __lddk_copy_from_user( (void *) argp,(Command_par_t *) arg, sizeof(Command_par_t));

So the code works fine, but I'm not sure if it is needed. The first question comes from this description of return_ok return:

  • The function returns a nonzero value if the region is likely to be available (although access can still result in -EFAULT). This function simply checks that the address is likely in user space, and not in the kernel.

So, does this mean that it really does nothing to make sure that the pointer we are checking is possibly initialized in user space? Since we know that we could not enter this function, except for calling the user space, and this could not happen if we did not open the actual file descriptor of this device, is this really necessary? Is this really safer than just making sure we don't get a NULL pointer?

The second question comes from this description:

  • A type argument can be specified as VERIFY_READ or VERIFY_WRITE. The VERIFY_WRITE symbol also determines whether a memory area can be read as well as written.

Does this mean that the first check of my code is redundant? If we are going to check the writable area, will we get readability like a freebie?

I am using x86 architecture, so the definitions of access_ok () and __range_no_ok () are the names from / usr / src / linux -3.1.10-1.16 / arch / x86 / include / asm / uaccess.h as follows

 #define access_ok(type, addr, size) (likely(__range_not_ok(addr, size) == 0)) #define __range_not_ok(addr, size) \ ({ \ unsigned long flag, roksum; \ __chk_user_ptr(addr); \ asm("add %3,%1 ; sbb %0,%0 ; cmp %1,%4 ; sbb $0,%0" \ : "=&r" (flag), "=r" (roksum) \ : "1" (addr), "g" ((long)(size)), \ "rm" (current_thread_info()->addr_limit.seg)); \ flag; \ })
+5
source share
3 answers

If __lddk_copy_from_user() just calls copy_from_user() , then access_ok() is redundant because copy_from_user() does this on its own.

access_ok() ensures that the user space application does not request the kernel to read or write to the kernel addresses (this is an integrity / security check). The fact that the pointer was provided by user space does not mean that it is definitely a user space pointer - in many cases, a “kernel pointer” simply means that it points within a specific area of ​​the virtual address space.

In addition, calling access_ok() with VERIFY_WRITE implies VERIFY_READ , so if you check the first, you do not need to check the second either.

For this commit in 2019 , access_ok() does not have a long type argument, so the VERIFY_WRITE vs VERIFY_READ point is controversial.
+10
source

The access_ok macro is simply checking the validity of a pointer. For example, it will break erroneous calls with NULL or read-only arguments.

Ideally, the driver should be restored even if the access functions do not work. However, this can only happen after some expensive hardware operations. Therefore, checking at an early stage can make the driver more resistant to the most common user space programmer errors.

Edit: and yes, if your only input call is copy_from_user (), the checks are redundant. However, if there is a recording later, it is useful to check the right to record at the beginning.

And you really have to check the return value of copy_from_user ().

+1
source

This is not redundant. access_ok () checks the address, trying to read from this region. If the address is valid and exists in user space, it tries to read, otherwise the function returns EFAULT, which indicates that the address failed. This is a safer way to check access in regions rather than checking NULL (before you get any segmentation error that could cause your kernel to crash).

Alternatively, you can check read / write access using access_ok (). The second call simply checks for “record” access in that region.

+1
source

Source: https://habr.com/ru/post/1433446/

More articles:


All Articles